Intro and SANS GCFA FOR508 Course Review
I'm new here after just finding this site while looking for info on SANS forensics certifications. Just thought I'd take a minute to introduce myself, and post a link to a pretty good review on FOR508 I found.
I've been in IT for 25+ years (yes, I'm old) and have done most everything from setting up small networks to managing large ones. About 6 years ago I began retraining myself in digital forensics and began my own business doing forensics, incident response and e-discovery. Earlier this year I took a full-time contracting position with a federal agency in a cyber-security group. My main job is threat analysis but I also do some forensics and response as needed.
I'm finding some gaps in my knowledge so I'm about to pull the trigger and take a SANS forensics course and associated exam. I'll be paying for the class out of my own pocket (no paid training for contractors). I hold other certifications already (Cyber Security Forensic Analyst, EC Council Certified Hacking Forensic Investigator, AccessData Certified Examiner) so it won't be my first test. Although I use elements of both FOR408 and FOR508 in my work (mostly 50
. I'll probably take FOR408 to get my baseline SANS knowledge down.
I've heard of other SANS class attendees making something called an "index" that they then use during the cert test. Can somebody explain to me what this is?
And to sign off on a good note I thought I'd share a great review I found yesterday by a guy who describes nicely the SANS FOR508 class and a few of the differences between it and the FOR408 class. Enjoy!
Review Link: Invoke-IR | PowerShell Incident Response
Comments
I've become less dependent on using indexes for these exams over the years. I really use them more as a book/page reference so I can look up the actual book material when in doubt in answering an exam question.
I recommend creating your own index, but some people share theirs with others. Personally, I think an index is best leveraged to identify your own weak points on different subject areas, so the collection of paper is really tuned to you as an exam candidate more than anything else.
Anyway, thanks for the reply back docrice.
> GMOB [MAR_2014] OSCP [MAY_2014] GREM [OCT_2014]
Thanks for the reply Psyco32. I'll check the links out. I was just playing with Redline and Volatility both today, getting a new analysis machine configured. FYI, I noticed in the release notes for the new version of Redline that it's NOT compatible with .Net v4.5. Go figure. I'm checking out Redline to see how hard/easy it will be to use their collector on a suspect machine. I never could get it to work on the previous version so hoping for better luck on this one.
> GMOB [MAR_2014] OSCP [MAY_2014] GREM [OCT_2014]
FYI, my index looks a lot like Psyco's and is currently sitting at 22 pages!
FYI, I had 86% on my second practice test, so was a bit disappointed that I didn't hit the 90%+ mark. But it did motivate me to spend my final week massaging my index and going over everything yet again. On my 2nd practice I also went TOO FAST and finished before the allotted time.
So, I corrected for time in the test, figuring I needed 20 questions done per 1/2 hour. After the first three 15-question marks (when your score shows up) I was running 100%. I knew a lot of the answers from memory, which gave me time to check and double-check the ones I wasn't sure of. If you can't figure one out skip it and move on so you don't get discouraged.
For sure there will be questions that CAN'T be answered from your coursework. Take pictures of these during your practice tests or whatever you need to do to remember them and find the answers. They will give you an idea of the types of questions you won't be able to answer off the top of your head. Thankfully the practice tests give you the answers (take a photo of those too) so you can see what you need to learn.
Hope this helps. With my score I hope to be able to help out in the mentor program. I really do know this stuff and love to teach others. Now I get a break and start to ponder when to do the GCFA, possibly in the Fall, after motorcycle-riding season is slowing down.
Best of luck to you ITforyears, hope you do well!
How was this experience compared to other forensic-related exams? Looks like you already had prior knowledge in this area so I'm guessing you weren't going into it cold.
Masters of Information Systems Management with Enterprise Information Security - Walden University
Masters of Science in Information Assurance - Western Governors University
Masters of Science Cyber Security/Digital Forensics - University of South Florida